The (logically) centralised architecture of software-defined networks (SDNs) makes them an easy target for packet injection attacks. In these attacks, the attacker injects malicious packets into the SDN to degrade the services and performance of the SDN controller and to overflow the capacity of the SDN switches. Such attacks have been shown to ultimately stop the network from functioning in real time, leading to network breakdowns. There has been significant work on detecting and defending against similar DoS attacks in non-SDN networks, but detection and protection techniques against packet injection attacks in SDN are still in their infancy. Furthermore, many of the proposed solutions have been shown to be easily bypassed by simple modifications to the attack packets or by altering the attack profile. In this paper, we develop novel Graph Convolutional Neural Network models and algorithms that group network nodes/users into security classes by learning from network data. We start with two simple classes: nodes that engage in suspicious packet injection and nodes that do not. From these classes we then partition the network into separate segments with different security policies, enforced by distributed Ryu controllers in an SDN. Experiments on an emulated SDN show that our detection solution outperforms alternative approaches, with above 99% detection accuracy on various types (both old and new) of injection attacks. More importantly, our mitigation solution keeps non-compromised nodes functioning continuously while isolating compromised/suspicious nodes in real time. All code and data are publicly available for reproducibility of our results.